By: Evan Francen, CEO, FRSecure
There are ten fundamental information security practices that should be followed in every organization:
Think Right, Get Help, Get Involved, Lead, Plan, Set Goals, Measure, Seek, Encourage and Prepare.
Some of these things you can delegate to others, and some of these things you can’t. As CEO you need to ensure that they are all getting done.
Most people agree with us when we tell them that information security is a business issue, not an IT issue. Although most people will agree, most people don’t act accordingly. We have come to realize that people do what they believe more than they say what they believe. Thinking right will lead to acting right. We don’t only say that information security is a business issue; we actually ACT like information security is a business issue.
Information security management is a specialized skill, and every organization is different when it comes to what works best. You are not expected to be an expert, but you are expected to be informed. Get help from a trusted information security expert who can help you determine what role (specifically) you should take with respect to information security, and where your organization stands with respect to information security management and risk.
There is nothing more important to the success of information security than active involvement and endorsement from the CEO. We’ve built hundreds of information security programs over the years, and we’ve tried building them with and without active CEO involvement. We’re convinced that the only way to manage security well within an organization is to involve leadership at the top.
Time and time again we hear that CEOs want to implement (or follow) best practices with respect to information security. Notice the word “follow”.
Best practices are really a collection of practices that an industry or group has generally accepted as good (or “best”). This is the herd mentality, and isn’t leadership at all. Remember when your mother asked you, “If your friends jumped off a bridge, would you too?”
Two things about information security:
- You are never “secure”. At least not in the sense that it’s a destination to arrive at. Information security is relative and requires constant, ongoing attention.
- You can’t change overnight. Many of the practices and processes that are necessary to make your organization more secure require time. Maybe even a long time.
Setting goals equates to setting annual objectives for information security. The goals help the organization ensure that its (strategic) plan is carried out. Simple question: what are your organization’s information security goals and objectives for the next twelve months?
It’s hard to manage something that you can’t measure. If your organization has planned well and set goals well, then you should have progress that you can measure.
I was once asked by the CEO of a company who is a client of ours: “Evan, I appreciate all you do for us in keeping us secure, but will any of this make us more money?”
This is a great question. After all, we are in business to make money. If we are investing in things that don’t translate into making more money, then it’s pretty hard to justify doing these things. Information security is an investment in your organization, and shouldn’t be treated as just another cost center.
Recently, I was asked on the air by a radio show host: “Do you think that people are reluctant to share information security incidents because they are fearful that they will be punished or ridiculed?” She was speaking about employees coming forward to report an incident or potential incident. If people feel compelled, for whatever reason, not to share what they know, then they probably won’t. It doesn’t matter what the reason is. Encourage and reward transparency within your organization.
You need to know that no matter what we do or how much we invest (time, effort, money, etc.), we cannot possibly prevent all incidents and breaches. Regardless of what we do, we will still have a risk for loss. The goal is to minimize risk and prepare for the inevitable.
Ensure that your organization has planned for what you will do if/when you lose control of important information. The plan needs to be thorough, practical, and tested regularly.
As the CEO of your organization, you don’t need to do any or all of these 10 things yourself. You do need to be involved enough to ensure that all 10 of these things are being done within your organization and that they are done right and to your satisfaction. CEOs who don’t are more likely to encounter loss, including their jobs.
“FRSecure is a full-service information security management company that offers the highest level of expertise in protecting sensitive, confidential organizational information from unauthorized access, disclosure, distribution or destruction. Our information security analysts have an average of 15+ years professional experience in the industry, spanning multiple verticals such as education, non-profit, government, healthcare, banking and law firms.”